Thanks, that clarifies quite a bit. The permissions are being applied to "System" for the regular UserRole, but I don't see where to define what objects the roles are assigned to.


On Wed, May 7, 2014 at 2:28 AM, Oved Ourfalli <ovedo@redhat.com> wrote:
Hi Jeff

Roles determine two things:
1. What the user can see
2. What the user can do

It is important to know who the user is, what the role is (UserRole? as you also mentioned SuperUser?) and on what object(s) the role was granted.
Assuming it is UserRole, on a specific user, then:
If on a VM, then the user can see/operate on this VM.
If on a Cluster, then the user can see/operate on all the VMs in this cluster.
If on a DC, then the user can see/operate on all the VMs in clusters that are part of this DC.
If on System, then the user can see/operate on all the VMs in the system.

So the hierarchy is System-->DC-->Cluster-->VM.
I hope this clarifies your question.

Regards,
Oved


----- Original Message -----
> From: "Jeff Clay" <jeffclay@gmail.com>
> To: users@ovirt.org
> Sent: Monday, May 5, 2014 10:31:53 PM
> Subject: [ovirt-users] user portal permissions
>
> For some reason, when logged in as a user with a modified copy role of
> UserRole (only has login permission and VM -> Basic Operations -> Remote Log
> In permission) the user can see all of the VMs and has the ability to open
> a console, start, shutdown or suspend any of the VMs. I have verified that
> all of the VMs only show the SuperUser role in their permissions. I went
> through all of the roles and verified that the user is only a member of the
> Copy_of_UserRole. The only thing I can think of is that the user is
> inheriting permissions from something, but I can't find what it is or where.
> Any suggestions?
>
> Thanks.
>
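
The scope inheritance described in this thread (System-->DC-->Cluster-->VM), as an added example that is not part of the original messages and is not oVirt code: a simplified Python model that resolves which VMs a grant covers and lists grants made on a container rather than on a VM. All object names, user names and grants are constructed, and the model covers only where a grant applies, not which actions a role permits.

```python
# Simplified model of the scope hierarchy; not oVirt code.
# All object names, users and grants below are constructed sample data.

# child -> parent; "System" is the root and has no parent.
PARENT = {
    "DC1": "System", "ClusterA": "DC1", "ClusterB": "DC1",
    "vm-web": "ClusterA", "vm-db": "ClusterA", "vm-build": "ClusterB",
}
VMS = ["vm-web", "vm-db", "vm-build"]

# (user, role, object the role was granted on)
GRANTS = [
    ("admin", "SuperUser", "System"),
    ("portal-user", "Copy_of_UserRole", "System"),  # broader than one VM
    ("alice", "UserRole", "ClusterA"),
    ("bob", "UserRole", "vm-build"),
]


def ancestors(obj):
    """Yield obj, then each parent up to System."""
    while obj is not None:
        yield obj
        obj = PARENT.get(obj)


def effective_grants(user, vm, grants=GRANTS):
    """(role, granted_on) pairs that reach vm, including inherited ones."""
    chain = set(ancestors(vm))
    return [(r, o) for u, r, o in grants if u == user and o in chain]


def visible_vms(user, grants=GRANTS):
    """VMs the user can see/operate on under this model."""
    return [vm for vm in VMS if effective_grants(user, vm, grants)]


def broad_grants(user, grants=GRANTS):
    """Grants on a container rather than a VM, with the VMs each one covers."""
    out = {}
    for u, role, obj in grants:
        if u == user and obj not in VMS:
            out[(role, obj)] = [vm for vm in VMS if obj in ancestors(vm)]
    return out


if __name__ == "__main__":
    for user in ("portal-user", "alice", "bob"):
        print(user, visible_vms(user), broad_grants(user))
```

In this model a grant on System reaches every VM even when no VM lists that user in its own permissions, so an audit has to walk the parent chain rather than inspect each VM alone.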